[
https://issues.apache.org/jira/browse/THRIFT-3893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jens Geyer resolved THRIFT-3893.
--------------------------------
Resolution: Fixed
Assignee: Jens Geyer
Fix Version/s: 0.10.0
Fixed by removing the relevant call, since gofmt is not mission critical. If
someone has a more elaborate patch to re-enable that feature, please file a new
ticket.
> Command injection in format_go_output
> -------------------------------------
>
> Key: THRIFT-3893
> URL: https://issues.apache.org/jira/browse/THRIFT-3893
> Project: Thrift
> Issue Type: Bug
> Components: Go - Compiler
> Affects Versions: 0.9.3
> Reporter: Felix Groebert
> Assignee: Jens Geyer
> Labels: security
> Fix For: 0.10.0
>
>
> format_go_output runs gofmt on a file_path which is derived from the service
> name. If a malicious user is able to provide a service name to a framework
> invoking thrift, a user-supplied service name could lead to shell command
> injection.
> A potential fix would be to escaping on the file_path or ensuring that it
> adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
